Privacy

The Court of Justice of the European Union (CJEU) declared invalid the so-called Safe Harbor decision of April 26, 2000 of the European Commission which allowed US platforms and OTTs such as Facebook, Amazon, Google and others to transfer and gather in the United States personal data of European citizens (Case C-362/14 Maximillian Schrems vs Data Protection Commissioner). The text of the judgment can be found here.

The judgment of the EU Court will have various fundamental consequences on the business of the US OTTs in Europe. In particular, the transfer and treatment of personal data of European citizens into US risk to become permanently uncertain and unfit for a proper online business based on profiling and online ads. My first thoughts on this:

a new Safe Harbor decision will not solve the problems. The CJEU confirmed that national supervisory authorities remain competent to examine whether the transfer of individuals data to third countries complies with the requirements requested by the directive on data protection (Directive 95/46). This will make it for a very different business environment for US based platforms and OTTs in the EU; as a matter of fact, such companies from now on will be running the risk of having individuals challenging the way their data are processed in the US. Additionally, since most of US OTTs are based in Ireland, the Irish data protection authority will have to manage an enormous, unexpected, and maybe uncalled for, power over the entire US online business;

in any case, it would be difficult to reach and enforce a new Safe Harbor decision. The CJEU clearly stated that the current way the US process personal data is not acceptable, because there are no guarantees as, nor limitations, to the potential interference by US investigation authorities, in particular as to security and anti-terrorism reasons. However, in a joint declaration, Vice-President Timmermans and Commissioner Jourová optimistically declared that “we will continue this work towards a renewed and safe framework for the transfer of personal data across the Atlantic“;

therefore, it seems that the only solution will be for US OTTs to store data in the EU, rather than in the US, if they want to continue to carry out business in the EU. This means they will have to create new and separate data processing centers in the US and the EU respectively. It will be a kind of structural separation for personal data;

for some OTTs this forced structural separation of personal data will be a disaster, since their business, based of profiling for advertising and marketing, will become much less interesting if data could not be compared and profiled all together.

to overcome this issue, an enormous political effort should be done between US and EU. In particular the US should accept to discuss, and comply with, the data protection standards as indicated by the European Court. However, this is very unlikely to happen in the short term.

In the short term, US OTTs will continue to carry on their business, since the transfer of data to third countries may happen (art. 26 of the Data Protection Directive) also via other alternative means, such as with the consent of interested parties, the application of the so-called Binding Corporate Rules or the use of standard contractual clauses. However, such instruments do not constitute a viable, long-term solution in the present circumstances, since the judgement clearly applies, as far as mass surveillance is concerned, to any alternative transfer methods. In other words, the CJEU has not argued only under the Safe Harbor decision, but has based the judgement on fundamental rights that apply no matter which transfer methods are used.

The case started with a series of complaints filed with the Spanish Data Protection Agency (AEPD). A specific claim concerned some information, published on the popular newspapers La Vanguardia, reporting financial difficulties of the claimant (the sale of some estates). The claimant wished such information to disappear from the web, because the financial difficulties had been solved, and therefore he asked the newspaper to remove it and Google to disable the links when googling his name. Remarkably, the case against the newspaper was lost, because AEPD found that such information were true and lawful and therefore one could interfere with the freedom of the newspaper. By contrast, AEPD upheld the complaint against Google and its Spanish subsidiary, Google Spain, calling the dominant search engine to take the necessary measures to withdraw the data from their index and to render future access to the information impossible via their search engine. Google and Google Spain appealed against that decision before the Spanish courts and the case was then submitted to the CJEU in Luxembourg.

The application of European data protection rules to Google and, in general, to extra-EU Internet operators

According to the European judges, a search engine is subject to European data protection rules even if it is establihed outside the EU, provided that the relevant business is directed to European users. Therefore, the simple circumstance that headquarters, main establishment, servers, ecc of a search engine are located abroad, in an extra-european country, is not a reason to skip the European jurisdiction. The European Court held, in this regard, that where personal data are processed to promote and sell in a given Member State (such as Spain, in the case at stake) advertising space offered by the search engine in order to make a revenue, then European rules apply. This conclusion is not surprising, however one should note that the technical details of the case (i.e. the fact that the technogical establishment of the data processing are located in the US) had been invoked by Google to dismiss the European/Spanish jurisdiction. Google normally maintains that its search engine business is run by Google Inc., based in California, and then it is subject only to US data protection legislation. In the case at stake, it argued that Google Spain is only responsible for selling advertising on US Google and has no role in the operation of the search engine itself. However, AEPD pointed out that Google Inc. indexes Spanish websites using crawlers and robots and uses a Spanish domain name. Moreover the centre of gravity of the litigation was in Spain, concerning information published on a Spanish website, in Spanish language, about Spanish residents.

Remarkably, the issue of the European jurisdiction over Google Inc. had been already debated in a similar case fought in Italy about data protection and minors protection (the famous Vividown case). There the national courts reached similar conclusions (although the finally lost in the merits of the case): the national laws apply to Google because of the territorial target and effects of its business activity. Today’s CJEU’s decision confirms this approach.

The search engine and the right to be forgotten: an attempt to regulate Google?

The merits of the case is more intriguing and rise some legitimate questions. As stated above, the personal data as stake were lawfully published on Spanish newspapers and have not been removed from there. Therefore, one should wonder why the right to be forgotten rule should be applied only to Google, with respect to data stored in servers outside its control. Google respectfully invoked the intermediary liability set forth by the Electronic commerce Directive (directive 2000731/EC). The CJEU, by contrast, took another view:

“… the Court holds that the operator is, in certain circumstances, obliged to remove links to web pages that are published by third parties and contain information relating to a person from the list of results displayed following a search made on the basis of that person’s name. The Court makes it clear that such an obligation may also exist in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.”

Thus, the court refers to “certain circumstances” which must considered by the search engine, or eventually by the national judge in case of disagreement, on the basis of a balance evaluation between the data subject’s rights and those of other internet users with legitimate interests in finding information.

The decision sounds a bit political. The CJEU seems to suggest that in the current Internet ecosystem search engines counts much more than the source of the data:

“….Given the ease with which information published on a website can be replicated on other sites and the fact that the persons responsible for its publication are not always subject to European Union legislation, effective and complete protection of data users could not be achieved if the latter had to obtain first or in parallel the erasure of the information relating to them from the publishers of websites”

According to the European court, without the indexing and searching activity of Google, such data continue to exist but they are substantially not accessible, thus they are like non-existing. One should wonder whether this conclusion is driven by the fact that Google is the dominant operator in the online search sector. In a very competitive search market, i.e. with a plurality of search engines, the only workable solution would be to remove the information directly at the source. However, in the current markets structure, dominated by Google, the decision of the CJEU seems to be driven by a practical opportunism rather than by a solid legal reasoning.

The interferences with other frameworks

We will continue to talk about this sentence, because it may originates consequences which have not been fully considered by the court. The assumption that a search engine, as in the case of Google in the present case, must be seen as a data controller, opens the doors to large consequences for a wider range of operators, not only search engines. The impact on the Electronic commerce Directive (2000/31/EC) should be also analyzed as well as the regime of ISP liability: was Google acting as a caching, hosting operator, or what else? In addition, the idea that intervening upon indexing rather than removing a content at the source also appears problematic from technological point of view.

In any case, the finding of the CJEU (you may like it or not; I do not like it so much) is remarkable and may be seen as the recognition of the paramount position achieved by search engines, and in particular by Google, in the Internet. Without the search activity as developed until now, information and data disseminated in the Internet have little importance because they cannot be easily found: “I am indexed, then I exist“. The existence of individuals’ data in the Internet is the result of the capability to be reached by third parties, and search engines (Google in particular) enable, and somehow control, such capability.